Philip Martin | 8 Aug 2012 19:40

1.7.6 Candidates

Subversion 1.7.6 tarballs are now available for testing/signing by
committers. To obtain them please check out a working copy from
https://dist.apache.org/repos/dist/dev/subversion

Please add your signatures to the .asc files there.
You can use the release.py script for this:

 release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.6

Downstream packagers, please keep in mind that this release is not
blessed yet. Please do not distribute binaries compiled from these
sources before the release has been officially announced. This release
may still be pulled and supplanted by a different one (with a new
version number) in case of unforeseen problems during the testing phase.

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download

Hyrum K Wright | 9 Aug 2012 00:29

Re: 1.7.6 Candidates

On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion
>
> Please add your signatures to the .asc files there.
> You can use the release.py script for this:
>
>  release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.6
>
> Downstream packagers, please keep in mind that this release is not
> blessed yet. Please do not distribute binaries compiled from these
> sources before the release has been officially announced. This release
> may still be pulled and supplanted by a different one (with a new
> version number) in case of unforeseen problems during the testing phase.

Thanks for rolling these, I'll give 'em a spin.

Don't forget to create the tag and bump the version numbers on the branch.

-Hyrum

C. Michael Pilato | 9 Aug 2012 18:08

Re: 1.7.6 Candidates

On 08/08/2012 01:40 PM, Philip Martin wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion
> 
> Please add your signatures to the .asc files there.
> You can use the release.py script for this:
> 
>  release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.6
> 
> Downstream packagers, please keep in mind that this release is not
> blessed yet. Please do not distribute binaries compiled from these
> sources before the release has been officially announced. This release
> may still be pulled and supplanted by a different one (with a new
> version number) in case of unforeseen problems during the testing phase.

I'm seeing an error across the board in prop_tests 35.  Looks at first
glance like the test suite is consulting ~/.subversion/config rather than
using the control runtime configuration that it should be using.  (I have
some trunk-isms in my runtime config that are causing errors in the tests.)
I'll look into this.

-- 
C. Michael Pilato <cmpilato <at> collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development

C. Michael Pilato | 9 Aug 2012 18:18

Re: 1.7.6 Candidates

On 08/09/2012 12:08 PM, C. Michael Pilato wrote:
> On 08/08/2012 01:40 PM, Philip Martin wrote:
>> Subversion 1.7.6 tarballs are now available for testing/signing by
>> committers. To obtain them please check out a working copy from
>> https://dist.apache.org/repos/dist/dev/subversion
>>
>> Please add your signatures to the .asc files there.
>> You can use the release.py script for this:
>>
>>  release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.6
>>
>> Downstream packagers, please keep in mind that this release is not
>> blessed yet. Please do not distribute binaries compiled from these
>> sources before the release has been officially announced. This release
>> may still be pulled and supplanted by a different one (with a new
>> version number) in case of unforeseen problems during the testing phase.
> 
> I'm seeing an error across the board in prop_tests 35.  Looks at first
> glance like the test suite is consulting ~/.subversion/config rather than
> using the control runtime configuration that it should be using.  (I have
> some trunk-isms in my runtime config that are causing errors in the tests.)
>  I'll look into this.

FIXED on trunk:
   Sending        prop_tests.py
   Transmitting file data .
   Committed revision 1371282.

To be clear, this problem is with the *test* only, not with Subversion.  It
will not negatively affect my evaluation and sign-off on 1.7.6.

C. Michael Pilato | 9 Aug 2012 18:24

Re: 1.7.6 Candidates

On 08/08/2012 01:40 PM, Philip Martin wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion

Summary:

   +1 to release.

Platform:

   Ubuntu 10.04.4 (lucid) Linux (x86)
   Python 2.6.5
   Ruby 1.8.7

Verified:

   I tested the following (with pre-installed dependencies):

      (local, svn, neon, serf) x (bdb, fsfs) + py + rb + ctypes-python

   All tests pass.

   (A local problem prevents me from testing swig-pl and javahl right now.)

SHA1 Checksums:

   c6332c4d70685f903020f5c8f3c6c496f556680f  subversion-1.7.6.tar.gz
   5b76a9f49e2c4bf064041a7d6b1bfcc3aa4ed068  subversion-1.7.6.tar.bz2


Paul Burba | 9 Aug 2012 22:39

Re: 1.7.6 Candidates

On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion
>
> Please add your signatures to the .asc files there.
> You can use the release.py script for this:
>
>  release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.6
>
> Downstream packagers, please keep in mind that this release is not
> blessed yet. Please do not distribute binaries compiled from these
> sources before the release has been officially announced. This release
> may still be pulled and supplanted by a different one (with a new
> version number) in case of unforeseen problems during the testing phase.
>
> --
> Certified & Supported Apache Subversion Downloads:
> http://www.wandisco.com/subversion/download

SUMMARY:
---------
+1 to release

VERIFIED:
---------
Other than the expected differences in
subversion/include/svn_version.h,
https://dist.apache.org/repos/dist/dev/subversion/subversion-1.7.6.zip

Justin Erenkrantz | 10 Aug 2012 03:21

Re: 1.7.6 Candidates

On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion

+1 for release.

Tested on Mac OS X 10.7.4.

All tests pass (even the one that C-Mike pointed out failed for him).

BTW, I used the release.py script...which signed all of the release
files.  *shrug*

Thanks!  -- justin

Philip Martin | 10 Aug 2012 15:06

Re: 1.7.6 Candidates

Justin Erenkrantz <justin <at> erenkrantz.com> writes:

> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
> <philip.martin <at> wandisco.com> wrote:
>> Subversion 1.7.6 tarballs are now available for testing/signing by
>> committers. To obtain them please check out a working copy from
>> https://dist.apache.org/repos/dist/dev/subversion
>
> +1 for release.
>
> Tested on Mac OS X 10.7.4.
>
> All tests pass (even the one that C-Mike pointed out failed for him).
>
> BTW, I used the release.py script...which signed all of the release
> files.  *shrug*

You didn't have to commit all the files!  You can also sign the files
manually without using release.py.

I signed all the files as release manager but while I looked at the zip
file I didn't build/test it.  When signing releases in the past I signed
only the files I tested.  I suppose we should extend release.py to
support signing a subset.

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download


Mark Phippard | 10 Aug 2012 15:30

Re: 1.7.6 Candidates

On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Justin Erenkrantz <justin <at> erenkrantz.com> writes:
>
>> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
>> <philip.martin <at> wandisco.com> wrote:
>>> Subversion 1.7.6 tarballs are now available for testing/signing by
>>> committers. To obtain them please check out a working copy from
>>> https://dist.apache.org/repos/dist/dev/subversion
>>
>> +1 for release.
>>
>> Tested on Mac OS X 10.7.4.
>>
>> All tests pass (even the one that C-Mike pointed out failed for him).
>>
>> BTW, I used the release.py script...which signed all of the release
>> files.  *shrug*
>
> You didn't have to commit all the files!  You can also sign the files
> manually without using release.py.
>
> I signed all the files as release manager but while I looked at the zip
> file I didn't build/test it.  When signing releases in the past I signed
> only the files I tested.  I suppose we should extend release.py to
> support signing a subset.

I have sometimes wondered why we do not all sign all of the files.
Purely from a gpg trust perspective aren't more signatures a good
thing?  As long as we are still properly counting the +1's we get for

Daniel Shahaf | 11 Aug 2012 20:57

Re: 1.7.6 Candidates

Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
> <philip.martin <at> wandisco.com> wrote:
> > Justin Erenkrantz <justin <at> erenkrantz.com> writes:
> >
> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
> >> <philip.martin <at> wandisco.com> wrote:
> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
> >>> committers. To obtain them please check out a working copy from
> >>> https://dist.apache.org/repos/dist/dev/subversion
> >>
> >> +1 for release.
> >>
> >> Tested on Mac OS X 10.7.4.
> >>
> >> All tests pass (even the one that C-Mike pointed out failed for him).
> >>
> >> BTW, I used the release.py script...which signed all of the release
> >> files.  *shrug*
> >
> > You didn't have to commit all the files!  You can also sign the files
> > manually without using release.py.
> >
> > I signed all the files as release manager but while I looked at the zip
> > file I didn't build/test it.  When signing releases in the past I signed
> > only the files I tested.  I suppose we should extend release.py to
> > support signing a subset.
> 
> I have sometimes wondered why we do not all sign all of the files.


Mark Phippard | 12 Aug 2012 00:06

Re: 1.7.6 Candidates

On Sat, Aug 11, 2012 at 2:57 PM, Daniel Shahaf <d.s <at> daniel.shahaf.name> wrote:
> Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
>> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
>> <philip.martin <at> wandisco.com> wrote:
>> > Justin Erenkrantz <justin <at> erenkrantz.com> writes:
>> >
>> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
>> >> <philip.martin <at> wandisco.com> wrote:
>> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
>> >>> committers. To obtain them please check out a working copy from
>> >>> https://dist.apache.org/repos/dist/dev/subversion
>> >>
>> >> +1 for release.
>> >>
>> >> Tested on Mac OS X 10.7.4.
>> >>
>> >> All tests pass (even the one that C-Mike pointed out failed for him).
>> >>
>> >> BTW, I used the release.py script...which signed all of the release
>> >> files.  *shrug*
>> >
>> > You didn't have to commit all the files!  You can also sign the files
>> > manually without using release.py.
>> >
>> > I signed all the files as release manager but while I looked at the zip
>> > file I didn't build/test it.  When signing releases in the past I signed
>> > only the files I tested.  I suppose we should extend release.py to
>> > support signing a subset.
>>
>> I have sometimes wondered why we do not all sign all of the files.

Ben Reser | 12 Aug 2012 06:06

Re: 1.7.6 Candidates

On Sat, Aug 11, 2012 at 3:06 PM, Mark Phippard <markphip <at> gmail.com> wrote:
> But if we still require three +1's from Windows testers and three from
> Unix testers does that not take care of it?  Paul and I tested and
> signed the Windows zip file.  Doesn't it make the signatures of the
> Unix tar's "better" if we also signed those?  Likewise, if C-Mike,
> Philip and Justin signed the Windows zip files it seems like that
> would also be "better".
>
> They would not be giving a binding Windows +1, just adding their
> signatures to the files.

Original intent was you'd sign the files you were voting on.  However,
the extra effort to track who's voting doesn't really seem to be too
onerous.  People are already posting saying what they're voting on.
So unless the release manager objects I don't see a problem with
signing all the files (and I did so).

Daniel Shahaf | 12 Aug 2012 17:22

Re: 1.7.6 Candidates

Mark Phippard wrote on Sat, Aug 11, 2012 at 18:06:18 -0400:
> On Sat, Aug 11, 2012 at 2:57 PM, Daniel Shahaf <d.s <at> daniel.shahaf.name> wrote:
> > Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
> >> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
> >> <philip.martin <at> wandisco.com> wrote:
> >> > Justin Erenkrantz <justin <at> erenkrantz.com> writes:
> >> >
> >> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
> >> >> <philip.martin <at> wandisco.com> wrote:
> >> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
> >> >>> committers. To obtain them please check out a working copy from
> >> >>> https://dist.apache.org/repos/dist/dev/subversion
> >> >>
> >> >> +1 for release.
> >> >>
> >> >> Tested on Mac OS X 10.7.4.
> >> >>
> >> >> All tests pass (even the one that C-Mike pointed out failed for him).
> >> >>
> >> >> BTW, I used the release.py script...which signed all of the release
> >> >> files.  *shrug*
> >> >
> >> > You didn't have to commit all the files!  You can also sign the files
> >> > manually without using release.py.
> >> >
> >> > I signed all the files as release manager but while I looked at the zip
> >> > file I didn't build/test it.  When signing releases in the past I signed
> >> > only the files I tested.  I suppose we should extend release.py to
> >> > support signing a subset.
> >>

Ben Reser | 12 Aug 2012 20:03

Re: 1.7.6 Candidates

On Sun, Aug 12, 2012 at 8:22 AM, Daniel Shahaf <d.s <at> daniel.shahaf.name> wrote:
> No.  It makes them worse.
>
> Unless of course you expanded the tar and diff'd it --ignore-eol-style
> against the zip you had built, in which case it does make them better.

Maybe I'm being obtuse but isn't everyone signing checking the code
against the branch (for every file they're signing)?  That should be
the absolute minimum anyone is doing before signing.  If you do it for
one file you can obviously do it for the others by comparing them.
The whole point of the signatures is to say "Yes this is really what
we intend to release."  Ignore the possibility of malicious RM.
Imagine the RM just makes a mistake and typos the revision they
intended to release from?

Our release process should be ensuring that we release the code we
intend to release.

Which comes back to Daniel's suggestion.  We should make it as easy as
possible for people checking the release to do that.  The only concern
on my part here is that we need to pay very close attention to the
code we write to do that validation otherwise we become too dependent
on it and miss something.

Johan Corveleyn | 12 Aug 2012 21:50

Re: 1.7.6 Candidates

On Sun, Aug 12, 2012 at 8:03 PM, Ben Reser <ben <at> reser.org> wrote:
> On Sun, Aug 12, 2012 at 8:22 AM, Daniel Shahaf <d.s <at> daniel.shahaf.name> wrote:
>> No.  It makes them worse.
>>
>> Unless of course you expanded the tar and diff'd it --ignore-eol-style
>> against the zip you had built, in which case it does make them better.
>
> Maybe I'm being obtuse but isn't everyone signing checking the code
> against the branch (for every file they're signing)?  That should be
> the absolute minimum anyone is doing before signing.

Well, I don't actually. But then again, I'm not stating that when I give my +1.

The community guide says [1]:
[[[
Signing a tarball means that you assert certain things about it. When
announcing your signature, indicate in the mail what steps you've
taken to verify that the tarball is correct, such as verifying the
contents against the proper tag in the repository. Running make check
over all RA layers and FS backends is also a good idea, as well as
building and testing the bindings.
]]]

So IIUC the most important thing is that you indicate explicitly what
you've done. In my case: testing several RA layers, and checking the
checksum and signatures.

[1] http://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing


Ben Reser | 12 Aug 2012 06:13

Re: 1.7.6 Candidates

On Sat, Aug 11, 2012 at 11:57 AM, Daniel Shahaf <d.s <at> daniel.shahaf.name> wrote:
> The idea is that a hypothetical malicious release manager could create
> tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> We could write a release.py subcommand that compares the
> tar.gz/tar.bz2/zip to each other (and to the tag in svn.a.o).  Then
> people can run
>
> release.py intercompare-tarballs && release.py sign-tarballs

+1

I'd encourage that anyone who uses something like this should review
the code before using it to determine that the release packaging
matches.
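
Added example (not part of the thread, and not code from release.py): a sketch of the intercomparison proposed above, checking a tarball against a zip member by member with line endings normalised, in the spirit of diff --ignore-eol-style. The function names, the `expected` allow-list for known differences, and the constructed pkg-0.0 sample archives are assumptions made for illustration.

```python
import hashlib
import io
import tarfile
import zipfile


def digest(data, ignore_eol=True):
    # Fold CRLF to LF for text so Windows and Unix packagings compare equal;
    # data containing NUL is treated as binary and hashed untouched (heuristic).
    if ignore_eol and b"\0" not in data:
        data = data.replace(b"\r\n", b"\n")
    return hashlib.sha256(data).hexdigest()


def tar_manifest(blob, ignore_eol=True):
    """Map member path -> digest for a .tar.gz or .tar.bz2 given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return {m.name: digest(tar.extractfile(m).read(), ignore_eol)
                for m in tar if m.isfile()}


def zip_manifest(blob, ignore_eol=True):
    """Map member path -> digest for a .zip given as bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: digest(zf.read(i), ignore_eol)
                for i in zf.infolist() if not i.is_dir()}


def intercompare(a, b, expected=()):
    """Paths missing from one side or differing in content, minus expected ones."""
    return sorted(p for p in set(a) | set(b)
                  if a.get(p) != b.get(p) and p not in expected)


def make_tar(files):
    # Helper that builds a constructed .tar.gz in memory for the demo.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_zip(files):
    # Helper that builds a constructed .zip in memory for the demo.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packaging: same sources, LF in the tarball, CRLF in the zip.
UNIX = {"pkg-0.0/README": b"one\ntwo\n", "pkg-0.0/src/main.c": b"int x = 1;\n"}
WINDOWS = {k: v.replace(b"\n", b"\r\n") for k, v in UNIX.items()}
TAMPERED = dict(WINDOWS, **{"pkg-0.0/src/main.c": b"int x = 2;\r\n"})

if __name__ == "__main__":
    tar = tar_manifest(make_tar(UNIX))
    print("clean zip:   ", intercompare(tar, zip_manifest(make_zip(WINDOWS))))
    print("tampered zip:", intercompare(tar, zip_manifest(make_zip(TAMPERED))))
```

A manifest built the same way from an export of the tag would extend the check to the repository side; any path passed in `expected` is skipped entirely, so that list should stay short and be reviewed by the signer.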

Mark Phippard | 10 Aug 2012 15:02

Re: 1.7.6 Candidates

+1 to release.  I committed my signature for the Windows zip

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Johan Corveleyn | 10 Aug 2012 22:09

Re: 1.7.6 Candidates

On Wed, Aug 8, 2012 at 7:40 PM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion
>
> Please add your signatures to the .asc files there.

Committed my signature of the Windows zip file.

Summary
-------
+1 to release

Platform
--------
Windows XP (32 bit) SP3
Microsoft Visual Studio 2008 Express

Verified
--------
signature and sha1 for subversion-1.7.6.zip

Tested
------
[ Release build ] x [ fsfs ] x [ file | svn | neon | serf ]

Results
-------
All tests pass

Ben Reser | 12 Aug 2012 06:02

Re: 1.7.6 Candidates

On Wed, Aug 8, 2012 at 10:40 AM, Philip Martin
<philip.martin <at> wandisco.com> wrote:
> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion

+1

Tested on OS X 10.7.4.

Dependencies:
Neon 0.29.6
All other dependencies the versions included with OS X.

Test Results:
Compared 1.7.x branch @1370777 with the tar.bz2.
Verified that tar file in both compressed files was identical.
Verified no-unexpected diffs between tar and zip.
[Release-Build] x [ fsfs ] x [ file | svn | http (neon) ]
Perl bindings
Python bindings (noted that Python tests on OS X are testing against
the installed dylib rather than the one in the build tree, was able to
work around this by setting DYLD_LIBRARY_PATH, see error message
below).
Built JavaHL (not tested since it tests the installed version).

Error from the check-swig-py:
ImportError: dlopen(/Users/breser/subversion/tar/subversion-1.7.6/subversion/bindings/swig/python/.libs/_core.so,
2): Library not loaded: /usr/local/lib/libsvn_swig_py-1.0.dylib
  Referenced from:

Philip Martin | 13 Aug 2012 20:43

Re: 1.7.6 Candidates

Philip Martin <philip.martin <at> wandisco.com> writes:

> Subversion 1.7.6 tarballs are now available for testing/signing by
> committers. To obtain them please check out a working copy from
> https://dist.apache.org/repos/dist/dev/subversion
>
> Please add your signatures to the .asc files there.

We have sufficient signatures so I'll be moving the files to
https://dist.apache.org/repos/dist/release/subversion
tomorrow to give them time to mirror before the release.  It will still
be possible to add signatures but such signatures might not be included
in the release announcement.

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download

